Problem with stripslashes()

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
sejf83
Forum Newbie
Posts: 20
Joined: Fri May 19, 2006 3:53 am

Problem with stripslashes()

Post by sejf83 »

Hi all,

I have a form the posts variables to a processing page. On the processing pages, I am making the posted variables into $_SESSION variables so that I can prefill the form and return the user to it in case there are submission errors. I am running the following code to process the posted variables:

Code: Select all

function clean($input, $maxlength)
{
    $input = substr($input, 0, $maxlength);
    $input = EscapeShellCmd($input);
    return ($input);
}

// Get and clean the user inputs
$fileTitle = clean($_POST["fileTitle"], 50);
$fileDesc = clean($_POST["fileDesc"], 1000);

//Create an array to hold the form variables in case there is a submission error
$_SESSION["formVars"]["fileTitle"] = $fileTitle;
$_SESSION["formVars"]["fileDesc"] = $fileDesc;

   if(empty($_SESSION["formVars"]["fileTitle"]))
      $_SESSION["formErrors"]["fileTitle"] = "<span>You must give the document a title</span>\n";

   if(empty($_SESSION["formVars"]["fileDesc"]))
      $_SESSION["formErrors"]["fileDesc"] = "<span>You provide a description of the file</span>";
   if(!empty($_SESSION["formErrors"]))
   {
      header("Location: addFile.php");
   }
If the user is returned to the form, I am running the following code to prefill the form fields with the values he/she originally entered:

Code: Select all

//Define a function to process form errors
function fieldError($fieldName, $formErrors)
{
   if(isset($_SESSION[$formErrors][$fieldName]))
      echo "<span>".$_SESSION[$formErrors][$fieldName]."</span><br />";
}

<form name="addFile" action="addFileProcess.php" method="post" enctype="multipart/form-data">
<table cellspacing="10">
<tr>
<td>File title:</td>
<td><?php echo fieldError("fileTitle", "formErrors");?><input name="fileTitle" type="text" size="40" maxlength="50" value="<?php echo stripslashes($_SESSION["formVars"]["fileTitle"]);?>"></td>
</tr>
<tr>
<td>File description:</td>
<td><?php echo fieldError("fileDesc", "formErrors");?>
<textarea name="fileDesc" cols="32" rows="8"><?php echo stripslashes($_SESSION["formVars"]["fileDesc"]); ?></textarea></td>
</tr>
</table>
</form>

<?php  
unset($_SESSION["formVars"]);
unset($_SESSION["formErrors"]);
?>

The problem is that stripslashes() is not stripping the backslashes added with the "clean" function. I can't figure out where I am going wrong, as the function works fine on values pulled from a database.

Can anyone help? Here is a link to my phpinfo() page...

http://lab.slais.ucl.ac.uk:8036/~p100saj/check.php

Thanks.
User avatar
MarK (CZ)
Forum Contributor
Posts: 239
Joined: Tue Apr 13, 2004 12:51 am
Location: Prague (CZ) / Vienna (A)
Contact:

Post by MarK (CZ) »

As I look in the documentation, EscapeShellCmd() doesn't seem to be the best option, since it escapes all these characters: #&;`|*?~<>^()[]{}$\, \x0A and \xFF.

Why do you actually want to escape it? I think that $_SESSION variables don't have to be escaped.
choppsta
Forum Contributor
Posts: 114
Joined: Thu Jul 03, 2003 11:11 am

Post by choppsta »

Your PHP configuration has magic_quotes_gpc on. This means all your $_GET, $_POST and $_COOKIE variables automatically have slashes added to them. You're then using escapeshellcmd() which then adds some more slashes. Therefore when you strip slashes you're left with one set of slashes.

This highlights exactly why magic_quotes_gpc is a bad idea because it gets very confusing!!
User avatar
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Instead of your clean() function, why not set the maxlength attribute in your HTML form inputs, and then just use mysql_real_escape_string() on the POST'd data?
User avatar
MarK (CZ)
Forum Contributor
Posts: 239
Joined: Tue Apr 13, 2004 12:51 am
Location: Prague (CZ) / Vienna (A)
Contact:

Post by MarK (CZ) »

You really can't depend on maxlength attribute, any html can be changed by user.
Input checking must take place at least on server, clientside test is optional..
sejf83
Forum Newbie
Posts: 20
Joined: Fri May 19, 2006 3:53 am

Post by sejf83 »

Perhaps I could strip all of the slashes with a str_replace instead?

I keep generating an error with this code:

Code: Select all

str_replace("\", "", $_SESSION["formVars"]["fileDesc"]);
How can I replace the slashes with nothing? Or is that possible?
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

This would solve your problem..

Code: Select all

foreach ($_POST as $key => $value)
{
    $_POST[$key] = stripslashes($value);
}
Placed at the top of your scripts..
sejf83
Forum Newbie
Posts: 20
Joined: Fri May 19, 2006 3:53 am

Post by sejf83 »

Hmm...that didn't help.
User avatar
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

MarK (CZ) wrote:You really can't depend on maxlength attribute, any html can be changed by user.
Input checking must take place at least on server, clientside test is optional..
What do you mean HTML can be changed by any user? Ok, the user could make a HTML form which sends the data to your script, this data could be too long for your script to handle, and will produce errors if the database field it's being put in is too small to hold it. What would the user gain from doing that?

You are correct in stating that validation should take place atleast on the server, I'm not disputing that.
User avatar
MarK (CZ)
Forum Contributor
Posts: 239
Joined: Tue Apr 13, 2004 12:51 am
Location: Prague (CZ) / Vienna (A)
Contact:

Post by MarK (CZ) »

Let the db field be eg. TEXT. It can hold up to 2^16 - 1 characters, so it probably won't produce any error, just fill your db with some unwanted crap.. Always better to check what you get.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

jayshields wrote:Ok, the user could make a HTML form which sends the data to your script, this data could be too long for your script to handle, and will produce errors if the database field it's being put in is too small to hold it.
MySQL would just truncate it, without throwing an error.
Post Reply